I have this code:
$var = mysqli_real_escape_string($connection,$_POST['var']);
$sql = "UPDATE users SET var = '$var' WHERE id = '$id'";
If the var is aaa, it's ok, even if the var is aa'bbb, but if the var is sss"ddd - the var that updated is just sss. I know it's because the mysql query contains ".
Any idea?
You can try as per below-
SET @qry=CONCAT('UPDATE users SET var = "',REPLACE(@var,'"','\''),'" WHERE id = \'457\'');
PREPARE stmt FROM @qry;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;
Before starting with PHP you have to learn HTML basics first.
Also, you have to understand the difference between two.
So, don't blame PHP for your incomplete HTML.
Open page source and see your sss"ddd sound and safe, however spoiling HTML like this
<input value="sss"ddd">
and from now on pass every form value through htmlspecialchars()
you can try writing your query like this
$var = mysqli_real_escape_string($connection,$_POST['var']);
$sql = 'UPDATE users SET var = "'.$var.'" WHERE id = "'.$id.'"';